Internet Explorer comes out on top against Phishing

NSS Labs, an independent security research group, found that Internet Explorer 8 was the best browser tested at thwarting phishing attempts. Firefox was statistically tied with IE for first, with Opera and Chrome bringing up the rear. Safari was the real loser of the group, blocking only 2% of phishing attempts, with no difference between the Mac and Windows clients.

Phishing is a way in which a hacker lures an unsuspecting person into giving away their credentials or personal information by using a website that appears to be legitimate. This fraud has been growing over the past several years, and novices are more at risk now than ever. The interesting statistic from the tests is that phishing sites have an average life of only 52 hours, making it extremely difficult to block or stop these sites.

The study used several thousand malicious pages over the course of July and also timed how long it took for each browser to add the page to a blacklist. Internet Explorer took an average of just under five hours, with Firefox not far behind. Again, Safari lagged behind, taking over 54 hours to block a hazardous site.

NSS Labs has a full PDF file detailing the entire testing process and their results.

Thanks to The Patri0t for the tip!

83 Comments

I don't mind the study being sponsored by MS. But I would like to have more details like which url was used in the study and such.

I have IE8, Fx, Opera, Chrome, and Safari in my notebook..

Firefox crashes a lot when playing farmtown in facebook. LOL

Yet another misleading story amplified by 'journalists' all over the world..
Firefox, Safari, Chrome etc all periodically download FILTERS at certain intervals that determine if the website is 'malicious' or not.

Opera and Internet Explorer, however, ask an anti-malware database whether the website is malware-free or not, on each new webpage/domain.

The anti-phishing scores are NOT related to the browsers themselves. Rather, the winner just uses the most accurate anti-phishing list/database.

What about using web of trust and open DNS with firefox? I know we are talking about the stuff built into browsers, but still.

warwagon said,
What about using web of trust and open DNS with firefox? I know we are talking about the stuff built into browsers, but still.

What about using WOT and OpenDNS with IE ... or Opera ... or Safari?

The answer: they aren't core browser technologies.

Yeah, but some things still need to be done. We need inline spell-check, better tab responsiveness and better standards support.

Disable everything in the "Internet Explorer" section with Sysinternals Autoruns and disable Spybot's Immunize feature if you've ever used it, and watch your tabs fly.

As for spell-checking, I'm pretty sure there's an add-on for that. Or just spell correctly; it's not that hard. ;-)

random_n said,
As for spell-checking, I'm pretty sure there's an add-on for that. Or just spell correctly; it's not that hard. ;-)

I don't want nothing looking over everything I typed! If I misspell something I did it on purpose!!

Good for you, but when you start adding new javascript to your project then, the situation can turn pretty nasty.

I'll use IE6 & 8 over Firefox any day of the week!!
Same with Seamonkey, K-Meleon, SRWare Iron and Opera!

Couldn't stand IE7.

For those of you who THINK you know what's good, the phishing filter isn't the only thing IE is better at than Firefox either.

FireFox is definitely better than IE6 and IE7. However, IMO, IE8 is better at some things than FireFox, and FireFox is better at others. In the end it comes up a tie.

NSS labs? You mean the lab that created "fake" result on one of their previous reports? (see: http://my.opera.com/haavard/blog/2009/03/2...ates-statistics).
Why would I trust them this time?

Quickly reading through the report and I noticed they say they "removed firefox 3.5" from the test, because it :

Serious instability where the browser repeatedly crashed (a widely reported issue) along with poor results prevented its inclusion for the sake of fairness


And yet, they keep opera 10, despite saying:
Opera experienced operational issues during the latter part of testing which dragged down Opera 10's effectiveness

Why do different things for opera and firefox, when both are unstable? Because of the "poor results" in firefox 3.5? Opera 10 was (and still is) in beta. A beta means that the software can cause problems and is not stable. Betas are never solid and stable, but that's why those releases are being called beta

sirnh1 said,
NSS labs? You mean the lab that created "fake" result on one of their previous reports? (see: http://my.opera.com/haavard/blog/2009/03/2...ates-statistics).
Why would I trust them this time?

Quickly reading through the report and I noticed they say they "removed firefox 3.5" from the test, because it :


And yet, they keep opera 10, despite saying:

Why do different things for opera and firefox, when both are unstable? Because of the "poor results" in firefox 3.5? Opera 10 was (and still is) in beta. A beta means that the software can cause problems and is not stable. Betas are never solid and stable, but that's why those releases are being called beta


Aren't you ignoring the severity of the issue? I'm sure if Opera was repeatedly crashing, they'd have gone back to a previous version too. However, why would it being a beta make the results different? Generally by that stage most browsers are feature complete.

The report is somewhat misleading but not biased. You forgot the last sentence:

Opera experienced operational issues during the latter part of testing which dragged down Opera 10's effectiveness. Prior to those issues, Opera 10 was comparable with Internet Explorer 8 and Firefox 3.

Kirkburn said,
What makes you think 3.5 would do that much better than 3.0?

Because it claims improved phishing filter abilities and has also mysteriously been omitted from this test.

As bogas pointed out, there is no logical reason for the omission of FF 3.5 other than to intentionally distort the test. Even if we're to presume the test was conducted a long time ago, before 3.5 went gold, then that would mean Opera 10 beta wouldn't be included either since Firefox was already in RC status by the time Opera released their v.10 beta.

geoken said,
Because it claims improved phishing filter abilities and has also mysteriously been omitted from this test.

As bogas pointed out, there is no logical reason for the omission of FF 3.5 other than to intentionally distort the test. Even if we're to presume the test was conducted a long time ago, before 3.5 went gold, then that would mean Opera 10 beta wouldn't be included either since Firefox was already in RC status by the time Opera released their v.10 beta.


So, the fact they gave a reason why 3.5 was missing doesn't matter to your conspiracy theories then?

It does indeed have improved phishing filters, but you can't put a value on how much better it would perform.

Frankenchrist said,
From the NSS labs blog: Note: NSS Labs developed the test methodology and infrastructure independently. Microsoft provided funding.
Link > http://nsslabs.blogspot.com/2009/03/web-br...y-socially.html

For this report, they only say: NSS Labs live testing methodology represents an accurate, real-world testing that can be performed on information security products.

So take it for what's it worth...


The source of funding doesn't immediately bias results, y'know. Say MS wanted people to see all the work they've been putting in, and no-one's done an independent test to prove it: what do you expect them to do?

They asked Google and Mozilla for funding as well, but they didn't want to pay anything. And Opera said they didn't care about these kind of tests.

"We invited Google, Mozilla, Apple, Opera to participate, but they didn’t even bother to respond, except for Opera, which stated they “don’t really focus on malware.”"

perhaps next time, those companies will take these NSS guys more seriously...

Perhaps I'm being presumptuous here, but taking into account I.E users would most likely be the ones who would find it harder to tell a phishing attempt from something legitimate, this surely is good news.

Recon415 said,
Firefox likely would have come out on top if 3.5 was tested. They've improved their phishing filter since.

It should be 3.5 vs IE8 or 3.0 vs IE7.

Kosh Naranek said,
They are not testing Firefox 3.5.2 but 3.0.11.
I wonder if that would have made a difference.


wasn't FF released after this test was made?

well, it says on the PDF:

"We would have liked to have been able to test Firefox 3.5 which was released June 30, 2009, and attempted to test it alongside the other browsers. However, serious instability where the browser repeatedly crashed (a widely reported issue) along with poor results prevented its inclusion for the sake of fairness."

that kind of explains why they didn't use Firefox 3.5

thealexweb said,
It should be 3.5 vs IE8 or 3.0 vs IE7.

why? 3.5 only just came out of beta ie8 has been out of beta for a while (along with 3.0)

3.5 can go with IE9 :P

I have serious issues with this report, I just do not believe Safari could have a mere 2% whilst IE and FF could have 80%, Chrome and Opera spacing out the gap in between. I just don't think browsers could suck that much between themselves, this is quite clearly a test that is geared towards aspects IE and FF is good at while is something Safari overlooks.

Make yourself comprehensible and read. My problem is that results should not have such high degree of differences. The method of testing could have meant the test heavily favoured/disadvantages particular browsers.

Remember, this is a lab test. Is a replication of phishing, and by the sounds of it, the same codes is repeatedly. If Safari just does not response to this type, then it just doesn't response. But it may be better in other areas, hence 2% is not an indicative value.

It's a lab test only, i.e. only gives you a rough idea on what's going on. And a little offtopic, but it's the same when all those speed tests claim that Safari or Chrome is 10x faster than IE. It's simply not true! For instance, neowin.net takes 7-8 seconds to load with Chrome in my PC, and it definitely does NOT take 70-80 secs to load with IE. lol.

Eddo89 said,
Make yourself comprehensible and read. My problem is that results should not have such high degree of differences. The method of testing could have meant the test heavily favoured/disadvantages particular browsers.

Remember, this is a lab test. Is a replication of phishing, and by the sounds of it, the same codes is repeatedly. If Safari just does not response to this type, then it just doesn't response. But it may be better in other areas, hence 2% is not an indicative value.


I don't get your point: the value is low, yes. Why does this make it "wrong"?

kaixi said,
It's a lab test only, i.e. only gives you a rough idea on what's going on. And a little offtopic, but it's the same when all those speed tests claim that Safari or Chrome is 10x faster than IE. It's simply not true! For instance, neowin.net takes 7-8 seconds to load with Chrome in my PC, and it definitely does NOT take 70-80 secs to load with IE. lol.

I think the problem you have is your network speed.

It takes a little over a second for IE to render Neowin, it takes Chrome and Firefox about the same, give or take a few milliseconds. That's what I care about.

It was conducted by another entity. It's very common for a company to commission a study of their products by an outside reviewer. Every other company does the same thing.

andrewbares said,
Because we all believe this random commenter? Right. I'd trust Neowin first.

Is Google a random commentator? It's the first or second hit...
http://www.pcworld.com/article/170231/ie_8_beats_competition_in_microsoftsponsored_security_tests_updated.html

IE 8 Beats Competition in Microsoft-sponsored Security Tests

Internet Explorer 8 blocked about four out of every five sites that attempt to trick visitors into downloading malicious software in browser security tests performed by NSS Labs, according to a report released yesterday.

In the Microsoft-sponsored tests, Firefox 3 came in at a distant second with 27 percent. Safari 4 scored 21 percent, Chrome 2 blocked 7 percent, and the Opera 10 beta was barely there with a 1 percent block rate. The tests did not include sites that use hidden exploits and drive-by-download attacks to attempt to install malware without your ever having a chance to recognize an attack.

Rick Moy, President of NSS Labs, provided details about the company's test methodology, URL sources and why it left out exploit testing.

Per Moy, the company's methodology was in place before Microsoft contacted NSS Labs about performing the test. Microsoft asked plenty of questions about the methodology, but NSS Labs didn't change the methods used for Microsoft's test. Microsoft paid for a private report, and presumably could have chosen to not release the results had they not been complimentary, but Moy says Microsoft didn't push to change the methodology or source URLs to favor its browser.

IMHO, this is as relevant as one trillion Firefox downloads, it's meaningless statistics. Pretty much any modern browser will give you reasonable security, and you know what? People will still get exploited, because the biggest security flaw is the bit between the keyboard and the chair.

andrewbares said,
Because we all believe this random commenter? Right. I'd trust Neowin first.

No, I would trust the fanboy who can't believe that MS could not do anything wrong. He must be right!!!

Arkos Reed said,
It was a Microsoft sponsored study if you check the sources....

You're not actually trying to say that the results are a lie are you? I don't know about in America, but in the UK that sort of thing isn't only immoral, but it's illegal.. false advertising. Microsoft may have paid for the study, but I highly doubt the results have been fabricated.

TCLN Ryster said,
You're not actually trying to say that the results are a lie are you? I don't know about in America, but in the UK that sort of thing isn't only immoral, but it's illegal.. false advertising. Microsoft may have paid for the study, but I highly doubt the results have been fabricated.

It is not illegal in the US. In the UK they made a fuss about iPhone ad claims that you could view all the net, when it didn't have flash. No such problem in the UK. In fact, it is fine to outright lie in the US, just look at Fox News.

Internet Explorer is a very good browser. As are Firefox, Opera, Safari, Chrome. We are living in all-of-them-are-good age.

Well, I'm a web developer. Several thousand lines of code in the last weeks, 2 workarounds for Opera, 0 for IE8, Firefox and Safari. XHTML1.1, CSS2, validated. So... Internet Explorer has become a very good browser, yes.

Archangel Tyrael said,
Internet Explorer is actually good at something?

Yup, I've read reports on this before, and various comparisons, and this is pretty much The Thing it's best on.

Islander said,
Well, I'm a web developer. Several thousand lines of code in the last weeks, 2 workarounds for Opera, 0 for IE8, Firefox and Safari. XHTML1.1, CSS2, validated. So... Internet Explorer has become a very good browser, yes.

Apparently you aren't using the more modern web technologies like SVG, HTML 5. :)
If the web didn't have IE (including IE 8), we'd basically not need Flash *or* Silverlight anymore, for most of their basic uses.

This is a big deal.

Besides, IE doesn't support XHTML very well unless the web developer goes through hoops:
http://www.w3.org/MarkUp/2004/xhtml-faq#ie

It usually renders XHTML documents as HTML. Or always, if you haven't done that, and serve the document with the HTML MIME type.

Since you're serving XHTML 1.1, it's even against the spec to probably do it the way you do to get IE to render it, without going through the aforementioned hoops:

Why is it disallowed to send XHTML 1.1 documents as text/html?

XHTML 1.1 is pure XML, and only intended to be XML. It cannot reliably be sent to legacy browsers. Therefore XHTML 1.1 documents must be sent with an XML-related media type, such as application/xhtml+xml.


I'd suggest following the standards more easily, and only build HTML 4.01 documents, until IE fully supports XHTML without these hacks.

More modern web technologies ? Are you talking about Silverlight ? Or is it CSS3 and HTML5 that aren't even finished, let alone standards ?

IE8 is great for viewing websites that use today's technology. If you want to use "beta" technology then you can use Firefox/Opera/Chrome, but that doesn't mean in any way that IE is a bad browser.

If you are developing HTML5 and SVG sites now, your target market obviously isn't very large. Anyone can design or code to those standards, not many clients will be able to view them on their corporate networks.

kheldorin said,
What can those beta technologies do that today's technologies can't do better? It's just politics and hype.

And that's just pointless cynicism. Seriously, do you actually believe all new web tech brings nothing to the table?

Jugalator said,
Apparently you aren't using the more modern web technologies like SVG, HTML 5. :)
If the web didn't have IE (including IE 8), we'd basically not need Flash *or* Silverlight anymore, for most of their basic uses.

This is a big deal.

Besides, IE doesn't support XHTML very well unless the web developer goes through hoops:
http://www.w3.org/MarkUp/2004/xhtml-faq#ie

It usually renders XHTML documents as HTML. Or always, if you haven't done that, and serve the document with the HTML MIME type.

Since you're serving XHTML 1.1, it's even against the spec to probably do it the way you do to get IE to render it, without going through the aforementioned hoops:

I'd suggest following the standards more easily, and only build HTML 4.01 documents, until IE fully supports XHTML without these hacks.


HTML5 and CSS3 aren't finished, thus not W3C recommendations.

And FYI, there was a revision to XHTML 1.1 recently that allows it to be sent with the text/html MIME type, the validator no longer throws a warning and pages render fine for me in IE8.

Wikipedia seems to be able to render SVG output to PNG fine for IE or non-SVG supporting browsers last time I checked.

Athernar said,
Wikipedia seems to be able to render SVG output to PNG fine for IE or non-SVG supporting browsers last time I checked.

I like the way you dodge an issue by giving an example of a site which supplies alternate content to various browsers. By your logic IE6 works fine because _insert site here_ facilitates IE6 via a separate style sheet.

geoken said,
I like the way you dodge an issue by giving an example of a site which supplies alternate content to various browsers. By your logic IE6 works fine because _insert site here_ facilitates IE6 via a separate style sheet.


I like the way you try to compare a vital part of a webpage to something that isn't, even if every browser supported it. By your logic we wouldn't distinguish between anything.

Archangel Tyrael said,
Internet Explorer is actually good at something?

This is more FUD, like Steve Ballmer's "Most Netbooks returned run Linux" FUD which Dell disproved recently. They make it sound like there is a significant advantage to IE, but there isn't. Look at the test results, statistically there's no difference between IE and Firefox.

Mean block rate for phishing:

IE8 - 83%
Firefox - 80%

Margin of error = 3.96%

Zero hour attack protection (new sites):

IE8 - 52-71%
Firefox - 48-66%

Average response time (in hours):

IE8 - 4.96
Firefox - 5.24

Islander said,
Well, I'm a web developer. Several thousand lines of code in the last weeks, 2 workarounds for Opera, 0 for IE8, Firefox and Safari. XHTML1.1, CSS2, validated. So... Internet Explorer has become a very good browser, yes.

I've been working on a project where I've had to make workarounds for every single browser: IE, Opera, Firefox, Safari.

The other browsers are only starting to get up to snuff with standards just as IE is. FF2 imo was just as bad with standards as IE6.

I stopped using IE8, was stoked about it at first, but waiting a minute for a tab to open is BS, back to FF. And ya it's a new laptop, and I'm not the only one with the problem.

Zilos said,
I stopped using IE8, was stoked about it at first, but waiting a minute for a tab to open is BS, back to FF. And ya it's a new laptop, and I'm not the only one with the problem.


You had a bad addon. Bad addons break Firefox, too. I use IE8 exclusively now and my tabs open as soon as I create them.

Archangel Tyrael said,
Internet Explorer is actually good at something?


I use the netcraft bar on IE and Mozilla. Wouldn't know anything on IE actually blocking something

People need to stop dissing IE, now that IE8 is out.

Maybe it doesn't support everything latest and new (beta), but it does support the most current standards (stable).

I never had any slow experiences using IE8. It works just as well as the other browsers I've used on this computer.

Why would you invest a bunch of time into making huge corporate web-sites with an unfinished technology that will change and especially when not every browser supports the full set? Seems like you'd just end up having to redo the site. Waste of time. HTML 5 support is a non-issue for now.